3b1 security and removal of ua

John R. MacMillan john at chance.UUCP
Fri Apr 12 15:25:48 AEST 1991

|There is a function in the TAM library, eprintf(3T), that is used to
|print error messages.  It is how the ! and !! icons get on the first
|line of your screen.  Also, the calendar icon if you are using the
|pcal program.
|I believe eprintf writes to /dev/error, which is read by smgr.
|It all seems pretty innocuous, display an icon, print a message when
|a user clicks on the icon.  No danger there.
|EXCEPT, one of the arguments to eprintf(3T) is what to do when the
|user clicks on the icon.  And one of the possibilities is ST_EXEC;
|execute a program!!!
|Guess which user id, and in which directory the program is executed;
|You security hounds are right: by root and in the root directory.

Tom Kelly <tom at ancilla> pointed this out at one time.  I think he also
ST_LOG was a problem, since you can use it to write any file (eg.
/etc/passwd), as root.

Very scary, and just another reason to not run smgr.  (I don't; I use

|So, essentially, anyone with access to your C compiler has access to
|your entire machine!

Who needs a C compiler?  Try:

echo ":D:E::/usr/bin/id\c" > /dev/error

|Sleep comfortably last night?

I slept just fine...

More information about the Comp.sys.3b1 mailing list